European Court declares mass data storage unlawful

After countless court cases in various European countries, the bullet has finally been fired: in a landmark ruling this week, the European Court of Justice ruled that a general obligation to retain telecoms data (data retention) is unlawful for violating the right to privacy. This ruling has far-reaching consequences for surveillance legislation in all EU member states, including the Netherlands.

Previous data retention in the Netherlands

In the Netherlands, since 2009, under the Telecommunications Data Retention Act, everyone's communications data (telephony and internet traffic) were stored by telecoms providers for 12 months and 6 months, respectively, for the investigation and prosecution of criminal offences. This Dutch data retention legislation resulted from the 2006 European Data Retention Directive. However, in April 2014, the European Court of Justice declared this European directive invalid for violating the right to privacy. Subsequently, Minister Opstelten (Justice) refused to repeal the Dutch Telecommunications Data Retention Act, after which a broad coalition of Dutch organisations and companies demanded in summary proceedings that the law be set aside. The plaintiffs in these summary proceedings were Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Dutch Legal Committee for Human Rights (NJCM), internet provider BIT and telecom providers VOYS and SpeakUp. The case was brought by Boekx Advocaten in Amsterdam, and successfully: In a unique judgment (laws are rarely set aside by judges, let alone in summary proceedings), the District Court of The Hague on 11 March 2015 immediately set aside the entire law. Subsequently, the State decided not to appeal, making the judgment final since then. Subsequently, the relevant data were erased from all relevant Dutch telecom companies. This does not seem to have led to any problems in terms of criminal investigation and prosecution so far.

European Court finally makes mincemeat of mass data storage

The European Court's ruling from April 2014 unfortunately still left some room for interpretation as to what extent broad, blanket storage of everyone's communications data could still be allowed, for instance through strict judicial control in advance of access and use of that data. In a Swedish and UK data retention case, the European Court is now cutting that knot in favour of the right to privacy of every innocent citizen on European soil:

"The Charter of Fundamental Rights of the European Union opposes a national regime which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users concerning all electronic means of communication." Thus, the court.

In other words, mass storage of everyone's data to detect and prosecute crimes is unlawful. Indeed, according to the Court, this goes "beyond what is strictly necessary and justified in a democratic society".

In diplomatic terms, the Court is actually saying here that such legislation does not belong in a democratic constitutional state, but in a totalitarian dictatorship. This is also precisely the raison d'être of the Charter of Fundamental Rights of the European Union (inspired by universal human rights) on which the Court's judgment is based.

Consequences for the Netherlands

Recently, Minister Van der Steur ("Security and Justice") submitted another bill to reintroduce a broad, general telecoms retention obligation to the Lower House. Also, a similar bill to recognise and retain the license plates of all cars in the Netherlands (i.e. everyone's travel movements, location data) is currently pending before the Senate. Following the EU Court ruling, both bills are a priori unlawful for violating the right to privacy. The same applies to planned mass storage of cable data under the new Intelligence and Security Services Act (and its international exchange), possible future reintroduction of central databases containing everyone's fingerprints, national DNA databases, national registers containing everyone's financial transactions, etc. etc.

After the current EU Court ruling, there is therefore only one conclusion possible for the Dutch government: both the bill with the new telecoms retention obligation and the bill for mass registration of license plates should be withdrawn immediately. If not, Privacy First will again enforce this in court. The same goes for other bills that threaten to massively violate the right to privacy of innocent citizens.

Read also: https://www.nrc.nl/nieuws/2016/12/22/eu-hof-beperkt-opslag-van-data-tegenslag-voor-terreurbestrijders-5891446-a1537920 & https://www.security.nl/posting/497384/Privacy+First+dreigt+kabinet+met+rechtszaken+na+uitspraak+EU-hof.

Privacy First wishes you happy holidays and a privacy-friendly 2017!